Privacy Policy

At St John Ambulance we take your privacy very seriously and are
committed to protecting the security of your personal
information.

This Policy explains how we, St John Ambulance, and our
affiliated trading company Support St John Limited may collect and
use the information you give us, the conditions under which we may
disclose it to others and how we keep it secure.

We may change this Policy from time to time so please check this
page occasionally to ensure that you’re happy with any changes. By
using our websites, you agree to be bound by this Policy.

St John Ambulance has appointed a Data Protection Officer, who
can help you with any queries about the information in this privacy
policy: by email- data-protection@sja.org.uk
or by post- marked for the attention of the Data Protection Officer
at St John Ambulance, 27 St John's Lane, London EC1M 4BU.

This Policy contains the following sections:

1. WHO WE ARE

St John Ambulance is a registered charity in England and Wales
(charity number 1077265-1). We are also a company limited by
guarantee (company number 3866129) and have a wholly-owned trading
subsidiary, Support St John Limited (company number 1181644), each
of which trades as St John Supplies.

The information in this Privacy Policy relates to personal
information which is obtained by the above entities and for which
St John Ambulance is the Data Controller under data protection
legislation.

2. WHAT TYPE OF PERSONAL INFORMATION IS COLLECTED FROM YOU

The personal information we collect from you is limited to what
is necessary to enable us to carry out the purposes for which
it is collected. The type of personal information we collect
depends on the context of your interactions with St John Ambulance
and the choices you make, including your privacy settings.

The data we may collect, store and use can include the
following:

• Name and contact information. We may collect your first and
last name, title, job title and company name, email address, postal
address, phone number and other similar contact data.

• Passwords, password hints and similar security information
for authentication and account access.

• Payment information. We collect data necessary to process
your payment if you purchase one of our goods or services or make a
donation, such as your payment instrument number (such as a credit
card number or bank account number) and the security code
associated with your payment instrument.

• Whether you are a U.K. taxpayer for claiming gift aid.

• Any personal information which you choose to provide us with
in your correspondence with us.

• Photographs, videography and CCTV footage.

• Your I.P. address (or Internet Protocol Address). This
is a unique address that computing devices such as personal
computers, tablets, and smartphones use to identify themselves.
An I.P. address is analogous to a street address or telephone
number and could therefore be used to identify you.

• We may collect other online identifiers including cookie
information (for more information please see section 14 (‘Cookies
Policy’)), the internet browser and devices you are using, the
pages you visited on our website and how long you visited us
for.

You have choices about some of the personal information we
collect. When you are asked to provide personal information, you
may decline. Please note that if you choose not to provide
personal information that is necessary to enable us to carry out
your request- for instance, to make a donation, for information or
to purchase one of our products or services- we may not be able to
fulfil that request.

We may provide links via St John Ambulance’s websites to other
websites or you might independently visit the website of a third
party who provides services on our behalf, such as our lottery or
event booking service. The privacy practices of these
third-party websites are outside our control and in these cases,
you should check the privacy notices of any third-party websites
before disclosing any personal information.

In some cases, you might make a donation to us via a third-party
payment processor, in which case you should check the privacy
policy of that third party as the data controller of your personal
information.

3. HOW WE COLLECT YOUR PERSONAL INFORMATION

There are various ways you might share your personal information
with St John Ambulance, depending on how you interact with us.
At present we offer the following channels of communication
(though not all may be available to you and will depend on the
reason for your contact with us):

• Websites- online forms

• Paper forms

• Call-centres

• E-mail

• Text

• Face to face

For instance, you might provide personal information when making
a donation to us through our websites, by text, by telephone or by
completing a direct debit form which you send to us by post.

You might send us an e-mail requesting support with a product or
service, and personal information might be collected by us to
enable us to deal with your enquiry.

When you contact us through our call-centres, such as for
customer support or to place an order, telephone conversations with
our representatives may be monitored and recorded.

Some of our premises and vehicles are monitored by CCTV and
footage may be captured for security and safety purposes.

When you visit our websites, we use marketing analytics products
and providers to measure the effectiveness of our websites, which
may entail the collection of personal information in the form of
online identifiers.

We may also obtain personal information from third parties.
We protect data obtained from third parties according to the
practices described in this Privacy Policy, plus any additional
restrictions imposed by the source of the data. These
third-party sources vary over time, but have included:

• Someone who may have nominated you for an Everyday Heroes
Award.

• Someone who may post a photograph or information relating to
you to our social media platforms.

• Data brokers from which we purchase information for potential
business customers (for example, name, job title and business
address).

• Partners with which we offer co-branded services or engage in
joint marketing activities.

• Publicly-available information such as newspaper or online
media items; public posts on LinkedIn or social media; open
government databases such as Companies House; databases of
grant-funding opportunities and other data in the public
domain. Please refer to section 7 (‘Profiling’) below for
more information about how we may use this information.

4. HOW WE USE YOUR PERSONAL INFORMATION

There are various ways in which we may use or process your
personal information. We list these below and the legal basis
we rely on in each case.

Consent

Where you have provided your consent, we may use and process
your personal information to:

Contact you from time to time about our campaigns, activities,
ways you can support St John Ambulance (such as volunteering
opportunities and fundraising appeals), events, products, services,
youth programmes or information and know-how which we reasonably
think may be of interest to you. Please be assured that we
will not spam you and such communications will be aligned to the
consent you have given us.

Promote St John Ambulance campaigns, activities, ways to
support St John Ambulance (such as volunteering opportunities and
fundraising appeals), events, products, services, youth programmes
or information and know-how, using a review you have written, a
case study about you, photograph or video footage featuring you (or
a child aged under 13). These may be featured in social
media, printed and digital media, television and radio
communications.

Set up and administer a membership for our Cadets or Badgers
programmes in relation to a person aged under 18.

Provide you with medical diagnosis and treatment.

You can withdraw your consent at any time by contacting us using
the details provided within section 5 below (‘Your Right To
Withdraw Consent To Processing Of Personal Information’) or, in
relation to any marketing messages you receive, by using the
unsubscribe option included in those messages.

Contractual performance

We may use and process your personal information to perform a
contract with you (or a contract made with someone else which
requires us to provide goods or services to you, such as a training
course) and to fulfil and complete your orders for goods, services,
venue hire, and other transactions entered into with us.

Legitimate interests

We may use and process your personal information where it is
necessary for us to carry out activities which are in our
legitimate interests as a charity. The main legitimate
interests we rely on are:

(i) To fulfil the charitable purposes of St John Ambulance by
fundraising through donations, events, sales of supplies and
training courses and by sustaining and raising the profile of our
organization through careful marketing and other activities.

(ii) To operate lawfully and effectively and to administer all aspects
of our business as a charity.

Processing donations and legacies

We will process your personal information to fulfill your
request to make either a one-off or regular donation to us and to
carry out reasonable administration of your donation, which could
include thanking you and confirming your direct debit details with
you. Where you have made a gift-aid declaration this will
include processing your information to enable us to claim
gift-aid. We will also process personal information where
reasonably required to administer a legacy that has been left to St
John Ambulance.

Processing membership subscriptions

We will process your personal information to fulfill your
request to pay for a membership of our Cadets or Badgers programmes
relating to a child under 18 and to carry out reasonable
administration of their membership, including communicating with
you about activities, camps and training.

Supporting customers and supporters with requests for information

We will process your information to fulfill your request for
information about becoming a supporter (for example, a volunteer or
donor), campaigns, activities, events, products, services, youth
programmes or information and know-how.

Supporting customers with orders of first aid supplies, booking training courses and other enquiries

We will process your personal information to respond to any
correspondence you send us and fulfill the requests you make to us,
both before and after purchase. We will also process your
personal information to carry out reasonable administration of your
order or booking.

Processing necessary for us to understand and respond to customers’ and supporters’ needs

We may process personal information to analyse, evaluate and
improve your customer/supporter experience of our call-centres and
websites and to improve our products and services (we will
generally use data amalgamated from many people so that it doesn’t
identify you personally).

You may choose to give us feedback on any of your experiences
with St John Ambulance and your feedback together with any personal
information you provide will enable us to analyse, evaluate and
improve your customer/supporter experience and to respond to you as
appropriate.

We may undertake market analysis and research (including
contacting you with customer/supporter surveys) so that we can
better understand you as a customer/supporter and provide tailored
information, products and services that we think you will be
interested in. We will only send marketing communications to you if
you have provided your consent for us to do so or in certain cases,
if we have a legitimate interest in doing so.

Profiling our existing and potential customers and supporters

We use profiling and screening techniques to ensure
communications are relevant and timely, and to provide an improved
experience for our supporters. Please see section 7
(‘Profiling’) for further information. You can let us know if
you do not want us to use your personal information in this
way.

Processing necessary for us to promote our business, products and services and measure the reach and effectiveness of our campaigns

We may send you marketing information from time to time after
you have purchased a product or service from us or made a
purchasing enquiry, closed your browser with items in your shopping
basket or requested other information of interest in a business
context. We will only contact you with information about our
own products, services and any other information we believe may be
of interest to you (and in ways the law allows), which we hope you
will like. You have the right to object to us sending you this
information at any time. Please see section 13 for
information on how to do this (‘Your Rights in Connection with
Personal Information’).

We may also contact you from time to time with marketing
information (unless you object) if you are acting on behalf of a
business or where we have obtained your business contact details
from a data broker or public business directory. In relation
to any such information we send by email or SMS, we will include an
option allowing you to object to receiving future messages by
unsubscribing.

We may contact you with targeted advertising delivered online
through social media and other platforms operated by other
companies, unless you object. You may receive advertising based on
information about you that we have provided to the platform or
because, at our request, the platform has identified you as having
similar attributes to the individuals whose details it has received
from us. To find out more, please refer to the information provided
in the help pages of the platforms on which you receive advertising
from us.

We may process your personal information to identify and record
when you have received, opened or engaged with our website or
electronic communications. Please see Section 14 (‘Use of
Cookies’) for more information.

We may process your personal information to administer
competitions, promotions, lotteries or raffles that you enter with
us from time to time and to distribute prizes.

We may use photographs or video footage which feature you, but
which do not identify you by name, to promote St John
Ambulance.

Processing necessary for us to operate the administrative and technical aspects of our business efficiently and effectively

We may have to share your personal information with third
parties, as described in section 6 (‘Data Sharing’) below.

We may have to verify the accuracy of information that we hold
about you and create a better understanding of you as a
customer/supporter.

We may process your personal information for network and
information security purposes, for example, for us to take steps to
protect your information against loss, damage, theft or
unauthorised access.

We may process your personal information to comply with a
request from you in connection with the exercise of your
rights. For example, where you have asked us not to contact
you for marketing purposes, we will keep a record of this on our
suppression lists in order to be able to comply with your
request.

We may process your personal information to inform you of
updates to our terms and conditions and policies.

Processing necessary to protect our premises, property and people

We may process personal information for crime prevention and
detection purposes and to keep our people safe. For example,
some of our premises have CCTV cameras and CCTV is also installed
on certain vehicles including some ambulances.

Legal obligation

We may process your personal information to comply with our
legal requirements (for example, to contact you if there is an
urgent safety or product recall notice and we need to tell you
about it).

Other grounds for processing

Vital interest

Sometimes we will need to process your personal information if,
for example, there is an urgent safety or product recall notice and
we or the manufacturer of the product needs to tell you about it,
or for life saving medical diagnosis and treatment purposes.

Change of purpose

We will only use your personal information for the purposes for
which we collected it, unless we reasonably consider that we need
to use it for another reason and that reason is compatible with the
original purpose. If we need to use your personal information
for an unrelated purpose, we will notify you and we will explain
the legal basis which allows us to do so.

Please note that we may process your personal information
without your knowledge or consent, in accordance with this Policy,
where this is required or permitted by law.

Social media content

We may collect your personal information when you post content
about yourself to St John Ambulance’s social media channels (for
example, by tagging the official SJA account, or the use of SJA
specific hashtags). St John Ambulance may share your post or image,
including any personal information, across our official social
media channels including but not limited to Facebook, Twitter,
LinkedIn, and Instagram. We may also reuse this information,
including images of you, for internal purposes (e.g. to share your
feedback or illustrate news stories) which we consider to be in the
legitimate interests of the charity. If you do not wish for us to
use your personal data in this way, please contact the Data
Protection Officer at data-protection@sja.org.uk.

5. YOUR RIGHT TO WITHDRAW CONSENT TO PROCESSING OF PERSONAL INFORMATION

If you have consented to the collection, processing and transfer
of your personal information for a specific purpose(s), you have
the right to withdraw your consent for that specific processing at
any time. To withdraw your consent, please contact our Data
Protection Officer by email- data-protection@sja.org.uk
or by post- marked for the attention of the Data Protection Officer
at St John Ambulance, 27 St John's Lane, London EC1M 4BU.

As quickly as possible and in any event within 30 days of
receiving notification that you have withdrawn your consent, we
will no longer process your information for the purpose or purposes
you originally agreed to (unless we have another legitimate basis
for doing so in law). Please note that if you ask us to stop
sending marketing information we will update our records to stop
further mailings as quickly as we can, but you may still receive
further mailings which were already in progress prior to your
asking us to stop for up to 2 months.

The withdrawal of your consent will not affect the lawfulness of
our processing based on your consent before you withdrew your
consent.

6. DATA SHARING

We will not sell or rent your information to third parties.

We may have to share your data with third parties, as described
below. If we do, you can expect a similar degree of
protection in respect of your personal information to that provided
by us. We require third parties to respect the security of
your data and to treat it in accordance with the law. We do
not allow our third-party service providers to use your personal
data for their own purposes. We only permit them to process
your personal data for specified purposes and in accordance with
our instructions.

We may pass your personal information to our third-party service
providers, including contractors and designated agents, and other
associated organisations for the purposes of completing tasks on
our behalf (for example to process donations and payments, to
fundraise, send you St John Ambulance communications, to supply you
with goods and services, to resolve product queries or issues and
to assist us with marketing analysis). However, when we use
third party service providers, we disclose only the personal
information that is reasonably necessary to deliver the
service.

We may transfer your personal information to a third party as
part of a sale of some or all of our business and assets to any
third party or as part of any business restructuring or
re-organisation, or if we’re under a legal duty to disclose or
share your personal data in order to comply with or enforce any
legal obligation or rights or to enforce or apply our terms of use
or to protect the rights, property or safety of our supporters and
customers. However, we will aim to protect your privacy.

We may share your personal information with our parent charity,
The Priory Of England And The Islands Of The Most Venerable Order
Of The Hospital Of St. John Of Jerusalem (charity number 1077265)
where reasonably necessary.

Data transfers to parties outside the EU

There may be some instances where your personal information is
processed or stored outside of the EU. In those instances, we
will ensure that appropriate safeguards are in place for that
transfer and storage as required by applicable law.

St John Ambulance operates in the Bailiwicks of Guernsey, Jersey
and in the Isle of Man, each of which is outside of the EU.
Personal information provided to St John Ambulance may be given to
our local offices in those territories and stored in data retrieval
systems in the territory, but only when you request information or
services relating to our operation in those territories.
There is an adequacy decision by the European Commission for these
countries, which means that they are deemed to provide an adequate
level of protection for your personal information.

7. PROFILING

Profiling is often used in direct marketing and involves
analysing data to improve the targeting of communications. We
may use profiling and screening techniques to ensure communications
are relevant and timely, and to provide an improved experience for
our supporters. If you do not wish your data to be used in
this way, you are entitled to object. Please see section 13
below (‘Your Rights in Connection with Personal Information’) on
how to do this.

We may carry out profiling of potential donors to ensure that we
are engaging with the people most likely to support St John
Ambulance. Profiling allows us to target our resources
effectively and help ensure that we only send you information we
reasonably think will be of interest to you.

We may also use profiling techniques to perform Due Diligence
research as required by the Fundraising Regulator’s Code of
Fundraising Practice, for example when certain levels of donation
are made. More details can be found at www.fundraisingregulator.org.uk.

When building a profile, we may analyse geographic, demographic
and other information relating to you in order to better understand
your interests and preferences, so we can contact you with the most
relevant communications. In doing this, we may use additional
information from third party sources when it is available, such as
publicly available data about you (for example, addresses, listed
directorships on Companies House, property prices on the Land
Registry or typical earnings in a given area). We may also
gather additional data which is freely available in the public
domain (for example, newspaper articles or online sources).

We do this because it allows us to understand the background of
the people who support us and helps us make appropriate requests to
supporters who may be able and willing to give more than they
already do and to predict the level at which donors may be able to
support St John Ambulance in the future. Importantly, it
enables us to raise more funds, sooner, and more cost-effectively,
than we otherwise would.

8. HOW LONG WE KEEP YOUR PERSONAL INFORMATION FOR

We will only retain your personal information for as long as
necessary for the purposes we collected it for, as set out in
our Data Retention Schedule, including for the
purposes of satisfying any legal, accounting or reporting
requirements. To determine the appropriate retention period
for personal information, we consider the amount, nature and
sensitivity of the personal data, the potential risk of harm from
unauthorised use or disclosure of your personal information, the
purposes for which we process your personal information and
whether we can achieve those purposes through other means, and the
applicable legal requirements.

In some circumstances we may anonymise your personal information
so that it can no longer be associated with you, in which case we
may use such information without further notice to you.

For further information about the retention period in a
particular case, please contact our Data Protection Officer by
email- data-protection@sja.org.uk
or by post- marked for the attention of the Data Protection Officer
at St John Ambulance, 27 St John's Lane, London EC1M 4BU.

9. HOW WE KEEP YOUR DATA SAFE

St John Ambulance would like to reassure you that we use
appropriate security measures to protect your personal information
against unauthorised or unlawful processing and against accidental
loss, destruction or damage. These measures may include, but
are not limited to, a range of organisational safeguards such as
staff training and duties of confidentiality, and the technical
safeguards listed below. We have put in place
procedures to deal with any suspected data security breach and will
notify you and any applicable regulator of a suspected breach,
where we are legally required to do so.

Encryption

Encryption is the process of converting data to an
unrecognizable or "encrypted" form. This means that only the sender
and intended recipient can view it in a meaningful way. If
the encrypted data is stolen, it should not be possible to change
it back to readable data.

Pseudonymisation

Pseudonymisation changes data that can be used to identify a
person into data that can’t be used to identify a person. This is
done by replacing the data that can be used to identify someone
with other data, for example, changing someone’s date of birth to
01/01/1700.

As well as requiring staff to enter usernames and passwords, our
systems also check that a particular computer or program is
authorised to access and manipulate data before allowing it to do
so.

Access controls and role based access controls

Staff are prevented from accessing our systems unless they enter
their user name and password. In addition, we restrict whose
personal data each user can access depending on their role at St
John Ambulance and individual data files are password
protected. We also limit access to your personal information
to those agents, contractors and other third parties who have a
business need to know. Everyone with access to your personal
information is subject to a duty of confidentiality and will only
process your personal information on our instructions.

Data back-up and restoration

We regularly back-up our systems and data which means that we
can restore or recover the system and data from a back-up file.

Network controls

We protect our network by using Firewalls that only allow access
between different networks based upon strict security criteria.
For example, a Web Application Firewall filters, monitors and
blocks any internet traffic to and from a web application such as
webmail and online forms. It detects and blocks anything
malicious.

System testing and monitoring

We regularly test whether our systems are secure. We also
engage independent companies to test whether our systems are
secure. We regularly monitor our systems for signs of hacking
and attacks and we use anti-virus software to detect and prevent
computer viruses.

Data Loss Protection tools

Data Loss Protection tools place limits on where users can save
data. For example, users might be prevented from sending data
by email or saving it onto their home computer.

Mobile Device Management

Mobile phones and laptops are mobile devices. Mobile
Device Management allows organisations to limit the locations where
personnel can save data on their mobile device. When a staff
member of St John Ambulance leaves our organisation or loses a
laptop or mobile, the data can be wiped from the laptop or mobile
remotely.

10. CHANGES TO YOUR PERSONAL INFORMATION

Please let us know if your contact information changes so
that we can ensure that our records are accurate and up to
date. You can request that we change your contact details by
contacting our Data Protection Officer by email- data-protection@sja.org.uk
or by post- marked for the attention of the Data Protection Officer
at St John Ambulance, 27 St John's Lane, London EC1M 4BU.

11. YOUR RIGHTS IN CONNECTION WITH PERSONAL INFORMATION

By law you have the right to:

• Request access to your personal information. This
enables you to receive a copy of the personal information we hold
about you and to check that we are lawfully processing
it.

• Request correction of the personal information we hold about
you. This enables you to have any incomplete or inaccurate
information we hold about you
corrected.

• Request erasure of your personal information. This
enables you to ask us to delete or remove personal information
where there is no good reason for us to continue processing
it. You also have the right to ask us to delete or remove
your personal information where you have exercised your right to
object to processing (see below).

• Object to processing of your personal information where we
are relying on a legitimate interest (or those of a third party)
and there is something about your particular situation which makes
you want to object to processing on this ground. You also
have the right to object where we are processing your personal
information for direct marketing purposes.

• Request the restriction of processing of your personal
information. This enables you to ask us to suspend the
processing of personal information about you, for example if you
want us to establish its accuracy or the reason for processing
it.

• Request the transfer of your personal information to another
party.

If you want to review, verify, correct or request erasure of
your personal information, object to the processing of your
personal data, or request that we transfer a copy of your personal
information to another party, please send a written request to our
Data Protection Officer by email- data-protection@sja.org.uk
or by post- marked for the attention of the Data Protection Officer
at St John Ambulance, 27 St John's Lane, London EC1M 4BU.

We will ask you for information to confirm your identity and,
where applicable, to help us search for your personal information.
Except in rare cases, we will respond to you within 30 days
after we have received any request (including any identification
documents requested).

12. USE OF COOKIES

To make full use of the online shopping and personalised
features on St John Ambulance websites, your computer, tablet or
mobile phone will need to accept cookies, as we can only provide
you with certain personalised features of this website by using
them.

Our cookies don't store sensitive information such as your name,
address or payment details: they simply hold the 'key' that, once
you're signed in, is associated with this information.

You can restrict, block or delete cookies from St John Ambulance
at any time through your browser. Each browser is different, so
check the 'Help' menu of your particular browser (or your mobile
phone's handset manual) to learn how to change your cookie
preferences.

We have appointed a Data Protection Officer to oversee
compliance with this Policy. If you have any questions about
this Policy or how we handle your personal information, please
contact our Data Protection Officer by email- data-protection@sja.org.uk
or by post- marked for the attention of the Data Protection Officer
at St John Ambulance, 27 St John's Lane, London EC1M 4BU.

14. RIGHT TO MAKE A COMPLAINT

You have the right to make a complaint at any time to the
Information Commissioner's Office (ICO), the UK supervisory
authority for data protection issues. The contact details for
the Information Commissioner’s Office, the data protection
regulator in the UK, are below: